Method to disable a network access application in a secure element

ABSTRACT

A method comprises causing a network access application or cellular authentication in a secure element to be disabled by changing a status of security information. In one embodiment, a method is provided to disable the network access applications of a UICC, in case of an emergency call, by resetting a verification status of the PIN.

FIELD

The invention relates to a method and apparatus and in particular but not exclusively to a method and apparatus for making emergency calls.

BACKGROUND

A communication system enables communication between two or more communication devices such as user terminals, base stations and/or other nodes by providing carriers between the communication devices. In a wireless communication system at least a part of communications between at least two stations occurs over wireless interfaces. A user can access a communication system by means of an appropriate communication device or terminal. A communication device is provided with an appropriate signal receiving and transmitting apparatus for enabling communications, for example enabling access to a communication network or communications directly with other users. The communication device may access one or several carriers provided by a station, for example a base station of a cell, and transmit and/or receive communications on the carriers.

The communication device is provided with at least one SIM (subscriber identity module) or similar functionality for network access (e.g. IP Multimedia Subsystem SIM (ISIM), CDMA (code division multiple access) SIM (C-SIM), removable user identity module (R-UIM), universal SIM (USIM), 2G SIM). The SIM may be provided on a removable card or may be embedded in an integrated circuit. For example the SIM may be provided on a UICC (Universal integrated circuit card). The SIM or similar functionality may have information defining networks to which the associated communication device is forbidden to connect.

SUMMARY

According to any aspect there is provided a method comprising: causing a network access application or cellular authentication in a secure element to be disabled by changing a status of security information.

The causing may be responsive to information being provided that said network access application is to be disabled.

The information may be entered by a user.

The information may be responsive to an occurrence of an event.

The event may comprise an input of emergency call information.

The method may comprise, responsive to emergency call information being entered, comparing said emergency call information with at least one stored emergency call information and if there is a match, disabling said network access application.

The secure element may comprise one or more of a universal integrated card and a subscriber identity module.

The causing may comprise additionally disabling all of said secure element or at least one additional application on said secure element.

The security information may comprise a personal identification number.

A status of said personal identification number may be changed by changing a verification status of said personal identification number.

The method may comprise causing said network access application to be activated using said security information.

The network access application may be activated after an event which causes said disabling of said network access application.

The network access application may be activated by an input of said security information.

An apparatus may be provided to perform any of the previous methods. The method may be performed in an apparatus. The method may be performed in a user equipment.

According to another aspect, there is provided a computer program comprising computer executable instructions which when run cause any one of the above methods to be performed.

According to another aspect, there is provided an apparatus comprising at least one processor and at least one memory including computer code for one or more programs, the at least one memory and the computer code configured, with the at least one processor, to cause the apparatus at least to: cause a network access application or cellular authentication to be disabled in a secure element by changing a status of security information.

The at least one memory and the computer code may be configured with the at least one processor to cause the apparatus to cause the network access application to be disabled responsive to information being provided that said network access application is to be disabled.

The information may be entered by a user.

The information may be responsive to an occurrence of an event.

The at least one memory and the computer code may be configured with the at least one processor to cause the apparatus to, responsive to an emergency call information being entered, compare said emergency call information with at least one stored emergency call information and if there is a match, to disable said network access application.

The secure element may comprise one or more of a universal integrated card and a subscriber identity module.

The at least one memory and the computer code may be configured with the at least one processor to cause the apparatus to cause additionally the disabling of all of said secure element or at least one additional application on said secure element.

The security information may comprise a personal identification number.

The at least one memory and the computer code may be configured with the at least one processor to cause the apparatus to cause a status of said personal identification number to be changed by changing a verification status of said personal identification number.

The at least one memory and the computer code may be configured with the at least one processor to cause the apparatus to cause said network access application to be activated using said security information.

The at least one memory and the computer code may be configured with the at least one processor to cause the apparatus to cause said network access application to be activated after an event which caused said disabling of said network access application.

The at least one memory and the computer code may be configured with the at least one processor to cause the apparatus to cause said network access application to be activated by an input of said security information.

According to another aspect, there is provided an apparatus comprising: means for causing a network access application or cellular authentication in a secure element to be disabled by changing a status of security information.

The causing means may be responsive to information being provided that said network access application is to be disabled.

The information may be entered by a user.

The information may be responsive to an occurrence of an event.

The event may comprise an input of emergency call information.

The apparatus may comprise comparing means for, responsive to emergency call information being entered, comparing said emergency call information with at least one stored emergency call information and if there is a match, causing said network access application to be disabled.

The secure element may comprise one or more of a universal integrated card and a subscriber identity module.

The causing means may be for additionally disabling all of said secure element or at least one additional application on said secure element.

The security information comprises a personal identification number.

The causing means may be for changing a status of said personal identification number by changing a verification status of said personal identification number.

The causing means may be for activating said network access application using said security information.

The causing means may be for activating said network access application after an event which caused said disabling of said network access application.

The causing means may be for activating said network access application by an input of said security information.

A user equipment may comprise any of the above apparatus.

BRIEF DESCRIPTION OF FIGURES

Embodiments will now be described in further detail, by way of example only, with reference to the following examples and accompanying drawings, in which:

FIG. 1 shows an example of a system wherein below described embodiments may be implemented;

FIG. 2 shows an example of a communication device;

FIG. 3 shows an example of a UICC;

FIG. 4 shows a first method; and

FIG. 5 shows a second method.

DETAILED DESCRIPTION OF EMBODIMENTS

In the following certain exemplifying embodiments are explained with reference to a wireless communication system serving devices adapted for wireless communication. Therefore, before explaining in detail the exemplifying embodiments, certain general principles of a wireless system, components thereof, and devices for wireless communication are briefly explained with reference to system 10 of FIG. 1, and communications device 20 of FIG. 2 to assist in understanding the technology underlying the described examples.

A communication device can be used for accessing various services and/or applications provided via communication systems. In wireless or mobile communication systems the access is provided via a radio module instance of the wireless access interface between mobile communication devices and an appropriate access system. A communication device may access wirelessly a communication system via a base station. The base station may be a macro, micro, femto (Home (e) Node base station) or pico base station.

FIG. 1 shows by way of example a first base station 12 providing a first cell 14 and a second base station 16 providing a second cell 18. This is a simplified version of the network. In practice a base station can provide more than one cell. There may also be base stations arranged to have cells overlying at least partially other cells. Of course in practice more than two base stations may be provided. An enabled terminal may connect to more than one network and base station. It should be appreciated that in FIG. 1, one network is shown. In practice more than one network may be provided which may at least partially overlap the network shown.

The different networks may be provided by different network providers. The networks may operate in accordance with different standards.

Also shown in FIG. 1 is a communication device 20 in the cell 14 associated with the first base station. The communication device 20 and base station may have one or more radio channels open at the same time and may receive signals from more than one source or network operator.

An example of a standardized architecture is known as the long-term evolution (LTE) of the Universal Mobile Telecommunications System (UMTS) radio-access technology. The LTE is being standardized by the 3rd Generation Partnership Project (3GPP). The various development stages of the 3GPP LTE specifications are referred to as releases. A development of the LTE is often referred to as LTE-Advanced (LTE-A). Many markets move forward to utilize this technology and develop their own customized version of the technology by means of local standards e.g. China.

A communication device can access a communication system based on various access techniques, such as code division multiple access (CDMA), or wideband CDMA (WCDMA). The latter technique is used by communication systems based on the third Generation Partnership Project (3GPP) specifications and in some of the standardization in China. Other examples include time division multiple access (TDMA), frequency division multiple access (FDMA), space division multiple access (SDMA) or orthogonal frequency division multiple access (OFDMA).

FIG. 2 shows a schematic view of a communication device 20 that a user can use for communications. Such a communication device is often referred to as user equipment (UE) or terminal. The communication device may be mobile or have a generally fixed location. The device might be a consumer product like a cellular phone or any other device enabled with cellular capability (smart device or device-to-device communication). An appropriate communication device may be provided by any device capable of sending and receiving radio signals. Non-limiting examples include a mobile station (MS) such as a mobile phone or what is known as a ‘smart phone’, a portable computer provided with a wireless interface card or other wireless interface facility, personal data assistant (PDA) provided with wireless communication capabilities or a tablet or laptop with one or more wireless modems, or any combinations of these or the like. A communication device may provide, for example, communication of data for carrying communications such as voice, electronic mail (email), text message, multimedia, positioning data, other data, and so on. Users may thus be offered and provided numerous services via their communication devices. Non-limiting examples of these services include two-way or multi-way calls, data communication or multimedia services or simply an access to a data communications network system, such as the Internet.

A communication device is typically provided with at least one data processing entity 23, at least one memory 24 and other possible components 29 for use in software and hardware aided execution of tasks it is designed to perform, including control of access to and communications with base stations and other communication devices. The user may control the operation of the communication device by means of a suitable user interface such as key pad 22, voice commands, touch sensitive screen or pad, combinations thereof or the like. A display 25, a speaker and a microphone are also typically provided. Furthermore, a communication device may comprise appropriate connectors (either wired or wireless) to other devices and/or for connecting external accessories, for example hands-free equipment, thereto.

The device 20 may receive and transmit signals 28 via appropriate apparatus for receiving and transmitting signals. In FIG. 2 transceiver apparatus is designated schematically by block 27. The transceiver apparatus is provided with radio capability. The transceiver may be provided for example by means of a radio part and associated antenna arrangement. The antenna arrangement may be arranged internally or externally to the mobile device.

Embodiments may provide a device having a set of access credentials. The set may comprise one or more access credentials. Examples of access credentials may be SIM (subscriber identification module) cards, USIM (universal subscriber identification module) applications on UICC (Universal Integrated Circuit Card) cards, and/or an embedded chip (eUICC) which holds the access credentials and related information and applications.

For example, a UICC 31 is provided which may be provided on a eUICC. In alternative embodiments, any other suitable secure data store may be used instead of the UICC. The UICC has a secure module that may hold one or several network access applications (NAA) which contain cryptographic keys and related network data. Examples of such applications are SIM, USIM, IP Multimedia Subsystem SIM (ISIM), CDMA SIM (C-SIM), removable user identity module (R-UIM). The UICC may also contain other applications that require entering of a personal identification number (PIN), for example banking applications, public transport applications, loyalty applications, credit or pre-paid applications.

The UICC or secure data store may have more than one application making it possible for example to access different types of network and/or the same type of network operated by different operators. In some embodiments there may be one UICC. In alternative embodiments there may be two or more UICCs in one device and each of them holding NAA for different network operators.

Currently if a SIM (subscriber identity module) card or UICC (universal integrated circuit card) is inserted into the user equipment, the user equipment will try to use the networks available with that SIM card/UICC. However, if the connection or coverage is not very good, this may lead to the situation that the user has no coverage from an operator which is allowed by the network parameters provided on the SIM card/UICC. The network parameters may be part of the elementary file. The elementary file may include information on forbidden PLMN (public land mobile network). If the user removes the card, this may allow the user equipment to use networks for the emergency call which are not allowed by the SIM card or UICC to be used. This behavior is recommended in some countries.

Where a user is roaming, the user can use his user equipment with the SIM card only with the network carriers or operators with which his home operator has a contract. If the SIM card is removed, the user in principle may be able to use any carrier or network operator in order to make an emergency call.

However, this behavior is not possible for an embedded UICC. This is because the embedded SIM would be physically present.

The inventors have appreciated that there may be other reasons why a UICC should be disabled. For example, in some telecommunication standards specifications, the usage of the UICC is mandated, when it is available. This may imply that the user is bound to a specific network access, for example he has to use the UICC and associated network (even when roaming). This may be necessary even if a cheaper network type were available. In these cases, non-cellular applications such as ticketing and payments should still be available to the user.

It should be appreciated that in some countries it is required that the SIM card be present for emergency calls. This is due to regulatory requirements in order to be able to trace the caller. In other countries emergency calls have to be possible with a user equipment even if the SIM card is not present.

In some embodiments, a method is provided to disable the network access applications of a UICC. In particular, the UICC may be a eUICC (embedded UICC).

If the eUICC is a separate integrated circuit, then the user equipment may simply cut off power to the eUICC to disable the NAA. However, this solution may not always be appropriate. For example, some eUICC may be provided in conjunction with applications such as payment, ticketing, NFC (near field communication). If the eUICC is powered down, these applications would not be available. Additionally or alternatively, this approach would not work if the UICC is part of another chip such as the base band chip.

In some embodiments, a verification status of the PIN (personal identification number) can be reset. Currently, once verified, the PIN verification status remains valid until the power to the SIM card or UICC card is removed. In some embodiments, a command is used to reset the verification status of the PIN, making the SIM/USIM/ISIM application unavailable to the user equipment. This has a similar function as removing the SIM card or UICC.

It should be appreciated that this resetting of the verification status of the PIN can be used to disable the SIM or the relevant part of the UICC.

In some embodiments, a new command is provided to reset the verification status of the PIN. Alternatively or additionally, an extension to the existing verify PIN and/or disable PIN commands can be used to reset the verification status of the PIN. In this scenario the PIN verification has to be enabled as the access to the relevant NAA will be prohibited by the PIN. If the PIN verification is disabled it means that access is always granted, the PIN verification status has no meaning and logically is set to “verified”.

In some embodiments, the user equipment has access to emergency call codes which are stored in the elementary file for emergency call codes (EF_ECC). The file is provided on the USIM and remains available even if the PIN verification status has been reset. The ECC file is present on the USIM; the USIM is the 3GPP NAA on a UICC.

Reference is made to FIG. 4 which shows a method of an embodiment.

In step S1, a user equipment is used by a user to make an emergency call.

In step S2, the user is asked to indicate if at least the NAA of the UICC and/or SIM should be made unavailable. In some embodiments, the user equipment may be configured to automatically make the NAA of the UICC and/or SIM unavailable if the end user makes an emergency call. In some embodiments, all of the UICC or SIM is made unavailable.

In step S3, a check is made by the user equipment. In particular, the user equipment determines if the input emergency call code matches an emergency call code included in the UICC. It should be appreciated that in some embodiments, the country in which the user is located is taken into account when determining if there is a match. Local numbers may be stored in the UE and/or local numbers may be downloaded to the terminal. In some embodiments, there may be some local numbers in the UE and additional numbers are downloaded to the terminal.

In some embodiments, step S3 may take place before step S2. In some embodiments, the check may be performed by the processor of the user equipment running suitable program code.

In step S4, the user equipment will issue a reset PIN verification status command to the UICC. Optionally, in some embodiments the user may be prompted to provide an input prior to the UE issuing the reset PIN verification status command. The issuing of the reset PIN verification command may be dependent on the input from the user. The user may be requested to indicate if the user is to input the PIN at this stage or any alternative indication. The input requested from the user may be OK or not OK or the like.

Alternatively in an emergency situation the user may not be asked and the UE may use a “trial and error approach” to get an emergency line for the user.

In step S5, the user equipment establishes a new connection to the most suitable operator for the emergency call. The user equipment is free to choose any network or network operator. Thus, the user equipment is effectively able to override the EF_FPLMN list which indicates the networks to which the user equipment is forbidden to attach normally. Of course in some embodiments, the user equipment may be alternatively or additionally overriding a list which indicates only those networks to which the user equipment is permitted to attach.

In step S6, the user equipment determines that the emergency call is completed. The user equipment is then prompted to re-enter the PIN and is back to normal operation with his operator. In order for the UE to work, after the emergency call, the PIN has to be enabled. The verification status is reset in order to prevent the access. The user then needs to re-enter the PIN in order to get the access. The terminal may automatically re-enter the PIN without user involvement in some alternative embodiments.
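The flow of FIG. 4 (steps S3 to S6), including the case where PIN verification is disabled and the reset therefore does not disable the NAA, can be modelled as follows. This is an added example and not part of the original disclosure; the class, method and function names, the stored codes, the PLMN identifiers and the use of signal strength to pick the "most suitable" network are all assumptions made for illustration.

```python
import hmac
from dataclasses import dataclass, field

# Constructed sample: PLMN id -> received signal strength in dBm.
VISIBLE = {"00101": -105, "00102": -70}


@dataclass
class SecureElement:
    """Toy model of a UICC/eUICC holding one NAA (e.g. a USIM). Not a card API."""
    pin: str
    pin_enabled: bool = True            # PIN verification enabled for the NAA
    ecc: tuple = ("112", "911")         # constructed EF_ECC contents
    fplmn: tuple = ("00102",)           # constructed EF_FPLMN contents
    _verified: bool = field(default=False, init=False)

    def verify_pin(self, candidate: str) -> bool:
        ok = hmac.compare_digest(candidate.encode(), self.pin.encode())
        if ok:
            self._verified = True
        return ok

    def reset_pin_verification(self) -> None:
        # Hypothetical name for the "reset PIN verification status" command.
        self._verified = False

    def naa_available(self) -> bool:
        # With PIN verification disabled, access is always granted and the
        # verification status is logically "verified".
        return (not self.pin_enabled) or self._verified

    def read_ecc(self) -> tuple:
        # EF_ECC stays readable after the verification status is reset.
        return self.ecc

    def read_fplmn(self) -> tuple:
        if not self.naa_available():
            raise PermissionError("NAA access condition not satisfied")
        return self.fplmn


def candidate_networks(se: SecureElement, visible: dict) -> list:
    """PLMNs the UE may attach to, strongest signal first (assumed metric)."""
    allowed = dict(visible)
    if se.naa_available():
        # NAA in use: the forbidden-PLMN list is honoured.
        for plmn in se.read_fplmn():
            allowed.pop(plmn, None)
    return sorted(allowed, key=allowed.get, reverse=True)


def emergency_call(se: SecureElement, dialed: str, visible: dict,
                   local_codes: tuple = ()) -> dict:
    """Steps S3 to S5: match the code, reset the PIN status, pick a network."""
    if dialed not in set(se.read_ecc()) | set(local_codes):        # S3
        return {"emergency": False, "naa_disabled": False, "network": None}
    se.reset_pin_verification()                                     # S4
    naa_disabled = not se.naa_available()   # False if PIN check is disabled
    networks = candidate_networks(se, visible)                      # S5
    return {"emergency": True, "naa_disabled": naa_disabled,
            "network": networks[0] if networks else None}


def restore_after_call(se: SecureElement, pin: str) -> bool:
    """Step S6: re-enter the PIN to return to normal operation."""
    return se.verify_pin(pin) and se.naa_available()


if __name__ == "__main__":
    card = SecureElement(pin="1234")
    card.verify_pin("1234")
    print("before:", candidate_networks(card, VISIBLE))
    print("call:  ", emergency_call(card, "112", VISIBLE))
    print("after: ", restore_after_call(card, "1234"),
          candidate_networks(card, VISIBLE))
```

With PIN verification disabled on the card, the same call leaves the NAA available and the forbidden-PLMN list still applies, which is why the description requires PIN verification to be enabled for this method.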

Reference is now made to FIG. 5 which shows another embodiment. In this embodiment, the UICC is disabled for a reason other than emergency calls. This may be for example for cheaper network connectivity. It should be appreciated that the network access application on the UICC which enables the user equipment connectivity may be a USIM (universal SIM), ISIM (integrated SIM), C-SIM (CDMA (code division multiple access) SIM), a SIM or similar. A UICC may hold a range of applications such as USIM, payment, secure ID or the like.

In step T1, the user wants to prevent access to the NAA, i.e. no mobile authentication run is made with the network and the user equipment does not need to take into account the content in EF_FPLMN, which would prevent it from using certain networks. This may be as defined in, for example, standards 3GPP TS 33.102 and TS 33.401. Cellular authentication is the authentication protocol that is run to authenticate the mobile device to the cellular network and (depending on protocol) also the cellular network to the terminal.

In order to prevent the authentication from being possible, access to the NAA is prevented. In order to prevent that, there are two alternatives: disabling it, which always works, or not verifying the access condition to it, i.e. entering the PIN. The latter only works if the end user has the PIN verification enabled, and this can be changed by the user.

In step T2, the user equipment selects another application on the same logical channel. The logical channel is a connection between an endpoint, application, in the terminal and an application on the UICC. In this case the UICC security system automatically will reset the PIN verification status. This is required in order to prevent a third party, or third party application, from accessing an application on the UICC, e.g. USIM, ISIM, SIM, using the granted access that the user has provided by entering the PIN for the application that is about to be selected. If the PIN verification status is reset it requires that the third party has to have knowledge about the PIN value in order to get access. If the correct PIN value is not known to this third party it will not be able to get access, as it is not able to perform a successful PIN verification. This behaviour is specified in order to prevent third party access to an application using the access granted by the user or somebody else. This behaviour is required in order to prevent unauthorised access by a potential malicious application in the user equipment or remotely.

In step T3, the PIN verification is reset. This maintains security integrity. In particular, the user is requested to input the PIN.

In step T4, user equipment may not be able to make some payment applications but when for example doing single sign on, the user does not need to use cellular credentials and connectivity from the USIM. In other words, the user can use NFC, WLAN or the like.

In step T5, if the user equipment wants to switch on the cellular or cellular authentication functionality, the user equipment re-enters the PIN.

Thus, in some embodiments, it is possible to disable the whole UICC, an application on the UICC or a profile associated with the UICC. A profile can be considered to be the combination of a file structure, data and applications to be provided onto or present on the UICC.

Embodiments have been described in terms of a UICC. It should be appreciated that other embodiments can be performed in association with other entities such as SIM cards or variants thereof. Some terminals support “flight mode” or the like and in this case the user would switch off the UICC in order to prevent any unintended network access. If the user switches off the UICC then the user would not be able in the flight mode to use payment or NFC payment applications on the UICC. Accordingly, in some embodiments it may be desirable to only switch off the NAA.

In some embodiments, if there is a software crash when the UICC is in the disabled phase, the cellular mode or NAA can be switched on again by entering the PIN.

Embodiments may not cut off the power to the entire UICC. Rather, in some embodiments, a network access application or a profile including a network access application may be disabled. This means that there may be other applications on the UICC which may be used whilst the UICC is partially disabled. This may be of use where the UICC functionality is integrated with other functions such as baseband or modem functions.

Some embodiments may be used in conjunction with a SIM or any other suitable secure element.

Embodiments may be used where a communications device has at least one secure module or element. This secure module or element may be a removable or non-removable part of the communications device. Alternatively or additionally the secure module or element may be provided as part of the modem implementation. This secure module may be a SIM card, a UICC or other secure data store. The secure module may have processing capability associated therewith.

Whilst PIN management is described by way of example, it should be appreciated that some embodiments may alternatively or additionally use passwords or other access tokens.

A subscription in some embodiments is used to describe an operator profile or application e.g. CSIM (CDMA SIM), USIM, ISIM (IP Multimedia Subsystem SIM), R-UIM (removable user identity module), SIM or a combination of those. The operator profile or application might be stored on a removable secure element (UICC, secure data card) or non-removable eUICC. Any combination of the above is also possible.

A 4 digit PIN is one method requested from the user. However, alternatively or additionally some embodiments may use more or less than a four digit PIN, a password and/or other user provided access token.

Reference is made by way of example to FIG. 3 which shows schematically a eUICC 32. The eUICC may include one or more of at least one processor 38, at least one memory 40 and an input/output 42. The memory may take any suitable format. The eUICC also has an additional functionality which may be for example baseband processing 36.

It should be appreciated that the embodiments may be implemented by one or more computer programs running on one or more processors, hardware, firmware, dedicated circuits or any combinations of two or more of the above. Some embodiments may make use of one or more memories. For example the computer programs may comprise computer executable instructions which may be stored in one or more memories. When run, the computer program(s) may use data which is stored in one or more memories. The secure module may comprise at least some memory and/or at least some processing functions which may perform some of the steps of the methods.

It is noted that whilst embodiments have been described in relation to certain architectures, similar principles can be applied to other communication systems.

Therefore, although certain embodiments were described above by way of example with reference to certain exemplifying architectures for wireless networks, technologies and standards, embodiments may be applied to any other suitable forms of communication systems than those illustrated and described herein. It is also noted that different combinations of different embodiments are possible. It is also noted herein that while the above describes exemplifying embodiments of the invention, there are several variations and modifications which may be made to the disclosed solution without departing from the scope of the present invention.

1-21. (canceled)
22. A method comprising: causing a network access application or cellular authentication in a secure element to be disabled by changing a status of security information.
23. A method as claimed in claim 22, wherein said causing is responsive to information being provided that said network access application is to be disabled.
24. A method as claimed in claim 23, wherein said information is entered by a user.
25. A method as claimed in claim 23, wherein said information is responsive to an occurrence of an event.
26. A method as claimed in claim 24, wherein said event comprises an input of emergency call information.
27. A method as claimed in claim 22, wherein responsive to an emergency call information being entered, comparing said emergency call information with at least one stored emergency call information and if there is a match, disabling said network access application.
28. A method as claimed in claim 22, wherein said secure element comprises one or more of a universal integrated circuit card and a subscriber identity module.
29. A method as claimed in claim 28, wherein said causing comprises additionally disabling all of said secure element or at least one additional application on said secure element.
30. A method as claimed in claim 22, wherein said security information comprises a personal identification number.
31. A method as claimed in claim 30, wherein a status of said personal identification number is changed by changing a verification status of said personal identification number.
32. A method as claimed in claim 22, comprising causing said network access application or cellular authentication to be activated using said security information.
33. A method as claimed in claim 32, wherein said network access application is activated after an event which caused said disabling of said network access application or cellular authentication.
34. A method as claimed in claim 32, wherein said network access application or cellular authentication is activated by an input of said security information.
35. An apparatus comprising at least one processor and at least one memory including computer code for one or more programs, the at least one memory and the computer code configured, with the at least one processor, to cause the apparatus at least to: cause a network access application or cellular authentication in a secure element to be disabled by changing a status of security information.
36. An apparatus as claimed in claim 35, wherein the at least one memory and the computer code are configured with the at least one processor to cause the apparatus further to: cause the network access application or cellular authentication to be disabled responsive to information being provided that said network access application is to be disabled.
37. An apparatus as claimed in claim 35, wherein the at least one memory and the computer code are configured with the at least one processor to cause the apparatus further to: cause the network access application or cellular authentication to be disabled responsive to an input of emergency call information.
38. Apparatus as claimed in claim 35, wherein the at least one memory and the computer code are configured with the at least one processor to cause the apparatus further to, responsive to an emergency call information being entered, compare said emergency call information with at least one stored emergency call information and if there is a match, to disable said network access application or cellular authentication.
39. An apparatus as claimed in claim 35, wherein said secure element comprises one or more of a universal integrated circuit card and a subscriber identity module.
40. An apparatus as claimed in claim 35, wherein the at least one memory and the computer code are configured with the at least one processor to cause the apparatus further to: cause additionally the disabling of all of said secure element or at least one additional application on said secure element.
41. A user equipment comprising an apparatus as claimed in claim 35.